UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

May 7, 2014

MEMORANDUM TO:  Mark A. Satorius
                Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/
                Assistant Inspector General for Audits

SUBJECT:        AUDIT OF NRC'S CYBER SECURITY INSPECTION
                PROGRAM FOR NUCLEAR POWER PLANTS
                (OIG-14-A-15)

The Office of the Inspector General (OIG) conducted this audit to determine the adequacy of the Nuclear Regulatory Commission's (NRC) cyber security inspection program for nuclear power plants. Through interviews with NRC staff, analysis, and direct observation, OIG auditors determined that NRC has adequate management controls in place for the cyber security inspection program. Therefore, OIG makes no recommendations.

BACKGROUND

NRC's Role in Power Plant Cyber Security Oversight

Cyber threats to NRC licensees are dynamic and multi-dimensional because of the continuously evolving capabilities of potential adversaries and emerging technologies. Potential adversaries run the gamut from nation-state actors to individuals. Recent threats against international nuclear facilities, such as Stuxnet and Duqu, are examples of malware specifically targeting the control systems that operate industrial facilities such as nuclear power plants.

The purpose of cyber security is to detect and then eliminate or mitigate vulnerabilities in digital systems that could be exploited from either outside or inside a plant's protected area. Licensees operating a nuclear power plant are required to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks in accordance with 10 Code of Federal Regulations (CFR) 73.54, also known as the "Cyber Security Rule."

In January 2013, NRC issued Temporary Instruction 2201/004 and began cyber security inspections of nuclear power plants in accordance with the Cyber Security Rule. The Cyber Security Rule required nuclear power plants licensed by NRC to submit a Cyber Security Plan, with a proposed implementation schedule, to the Commission for review and approval. However, the rule did not mandate an effective date for implementation of licensees' cyber security programs. As a result, NRC staff worked with the nuclear power industry to develop seven interim implementation milestones (Milestones 1-7), based on organizational and technical security controls, to be used while licensees prepare for full implementation, which NRC and licensees commonly refer to as "Milestone 8." NRC expects licensees to implement their respective Milestone 8 cyber security programs beginning in late calendar year 2014 through the end of calendar year 2017. NRC's Milestone 8 inspections will occur on a rolling basis as licensees come into full compliance with their regulatory commitments.

The Cyber Security Directorate of the Office of Nuclear Security and Incident Response oversees activities related to the cyber security inspection of NRC licensees; the inspections themselves are managed at the regional level. Headquarters staff and security risk analysts support inspectors based in NRC's four regional offices. Cyber security specialists under contract to NRC serve as technical advisors to the NRC teams and assist with some inspection tasks.

NRC Interim and Full Implementation Cyber Security Inspections

In January 2013, NRC issued Temporary Instruction 2201/004 and staff began cyber security inspections at nuclear power plants using Temporary Instruction guidance developed specifically for assessing licensees' interim cyber security programs against Milestone 1-7 criteria. NRC inspection teams spend two separate weeks onsite at a nuclear power plant for each cyber security inspection. During the first week, inspectors obtain and review documentation and familiarize themselves with the plant's cyber security program, personnel, and layout. During the second week onsite, NRC teams perform follow-up and verification tasks and present the conclusions of their work to the licensee. Where inspection teams identify tentative findings, they present the findings to the licensee during the second inspection week and then submit them for review by NRC's Security Issues Forum.[1]

[1] NRC created the Security Issues Forum to provide a means for regional and headquarters staff to discuss security findings and to promote regulatory consistency. NRC is currently paneling all cyber security inspection findings through the Security Issues Forum to ensure proper handling and use of enforcement discretion before final disposition of findings.

NRC has allocated 1.5 full-time equivalents (FTEs) each to Regions I, III, and IV for cyber security inspections; Region II has been allocated 2 FTEs because of its additional responsibility for new reactor construction inspections. Region-based teams are supported by headquarters staff as well as NRC cyber security contractors. As of December 2013, NRC had conducted 21 cyber security inspections across all four regions. Each 2-week inspection for Milestones 1-7 requires approximately 64 hours.

NRC staff have developed a new draft Temporary Instruction to be used in Milestone 8 pilot inspections, which are planned to begin in the spring of calendar year 2015.

OBJECTIVE

The audit objective was to determine the adequacy of NRC's cyber security inspection program for nuclear power plants.

RESULTS

The audit determined that NRC has adequate management controls in place for the cyber security inspection program.[2] Although OIG did not identify any findings or make any recommendations, this report describes specific challenges related to resource management and inspection guidance as NRC moves toward full implementation of its cyber security inspection program.

[2] Management controls include organizational structure and delegation of authority, human capital management, program monitoring, and communication with internal and external stakeholders.

NRC Cyber Security Inspection Program Has Adequate Management Controls

The Cyber Security Rule took effect in 2009 and established regulatory requirements for the nuclear power industry. Subsequent to the rule, NRC:

  • Developed, in consultation with industry, an interim inspection program based on technical milestones.

  • Created a preliminary inspector training program for headquarters- and region-based staff.

  • Performed pilot inspections at nuclear power plants and used those inspections to test and develop interim inspection guidance.

  • Created a Cyber Security Directorate within the Office of Nuclear Security and Incident Response to consolidate program management in a single organization at NRC.

  • Issued multiple supplementary guidance documents for use by NRC staff and licensees.

  • Engaged industry stakeholders through conferences and staff meetings.

Resource Management and Guidance Challenges as the Program Moves Into Full Implementation

Resource Challenges

Milestone 8 will expand the current scope of cyber security inspections and create resource management challenges for NRC. Currently, NRC's inspection scope is limited to critical digital components and systems[3] associated with target set equipment.[4] Milestone 8 inspections will expand the scope to cover all critical digital components and systems with a safety, security, or emergency preparedness function. In addition, NRC will begin inspecting "balance of plant" equipment,[5] which traditionally falls under Federal Energy Regulatory Commission jurisdiction. Although NRC provided initial cyber security training to inspectors in 2012, establishment of a formalized cyber security inspection training program has been delayed, due in part to funding issues.[6] In addition, NRC staff cited recruitment and retention as challenges, with several inspectors having retired or become eligible for retirement in 2013. NRC managers must balance these issues with inspection requirements for other programs, particularly at NRC regional offices, where inspectors also work in other oversight programs such as fire protection and physical security. Recruiting, retaining, and training adequate numbers of inspectors with appropriate skills, and determining the appropriate level of contractor support for inspections, are important to ensuring that NRC inspection teams are adequately staffed to conduct Milestone 8 inspections thoroughly and consistently in accordance with NRC standards.

[3] NRC guidance refers to "critical digital assets," which are defined as digital assets that must be protected against cyber attacks in accordance with 10 CFR 73.54.

[4] A target set is defined as a minimum combination of equipment or operator actions that, if prevented from performing their intended safety function or prevented from being accomplished, would likely result in radiological sabotage. Specifically, this entails significant core damage or a loss of coolant and exposure of spent fuel, barring extraordinary actions by plant operators.

[5] "Balance of plant" refers to the interface between a power plant and the electrical grid, such as electrical distribution equipment leading out to a plant's first inter-tie with the offsite distribution system.

[6] NRC's Technical Training Center plans to begin a training needs assessment in October 2014 and will develop a training program for NRC inspectors based on the results of this assessment. The new cyber security inspection training program is projected to be ready by summer 2015.

Guidance Challenges

NRC faces challenges as it develops guidance for use by inspectors as well as licensees. In particular, sampling guidance for inspectors will become especially important with the expanded scope of Milestone 8 inspections. A sound sampling methodology can help inspectors perform thorough inspections and reduce reliance on professional judgment in sample selection. For instance, some staff told auditors that they did not understand the basis for the current sampling methodology, while others said that sample selection depends considerably on professional judgment and the time available to perform inspection work. NRC is working to address this issue, in part through endorsement of industry-developed guidance for "consequence based analysis" of critical digital assets. Further, regulatory guidance that clearly articulates NRC's regulatory position is important to prevent licensees from misinterpreting regulatory standards.

During early Milestone 1-7 inspections, some licensee performance problems were reportedly attributable to a lack of alignment between industry and NRC guidance, as well as misinterpretation by licensees of key technical definitions. Licensees bear considerable implementation costs and want assurance that their cyber security investments help them satisfy regulatory commitments. Creating inspection guidance is an iterative process, and using lessons learned from pilot inspections is critical to developing guidance that helps inspectors do their work effectively while facilitating licensee compliance with NRC regulations. NRC can thus enhance the transparency of Milestone 8 inspections and foster regulatory stability by issuing clear guidance that incorporates lessons learned from prior inspections.

CONCLUSION

OIG conducted this audit to determine the adequacy of NRC's cyber security inspection program for nuclear power plants. Through interviews with NRC staff, analysis, and direct observation, OIG auditors determined that NRC has adequate management controls in place for the cyber security inspection program. Therefore, OIG makes no recommendations.

AGENCY COMMENTS

An exit conference was held with the agency on April 25, 2014. Prior to this meeting, a discussion draft was distributed to the agency for comment. Agency staff had no formal comments for inclusion in this report.

SCOPE AND METHODOLOGY

To address the audit objective, auditors reviewed and analyzed pertinent law, regulations, authoritative guidance, NRC policies and procedures, inspection reports, and prior relevant NRC OIG reports. Guidance reviewed included the following:

  • Government Accountability Office Standards for Internal Control in the Federal Government.

  • Title 10 Code of Federal Regulations, Part 73, Section 73.54.

  • Management Directive 11.1, NRC Acquisition of Supplies and Services.

  • Inspection Manual Chapter 1245, Qualification Program for Operating Reactor Programs.

  • Temporary Instruction 2201/004, Inspection of Implementation of Interim Cyber Security Milestones 1-7.

  • Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.

  • Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities.

  • NRC Security Frequently Asked Questions for Milestones 1-7.

  • National Institute of Standards and Technology Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

  • Nuclear Energy Institute 08-09, Cyber Security Plan for Nuclear Power Reactors.

OIG auditors interviewed managers, inspectors, and other program staff from NRC headquarters and all four NRC regional offices, both in person and by telephone, to gain an understanding of the qualifications of the inspectors and management staff for cyber security inspections. OIG interviewed NRC staff responsible for inspection training to assess the agency's progress in formalizing the cyber security inspection training program. OIG interviewed industry representatives and licensee personnel to gather external perspectives on program performance and NRC management's receptivity to industry concerns. OIG also reviewed NRC contract documentation for cyber security technical support. During this audit, OIG observed cyber security inspections at two nuclear power plants: Quad Cities Nuclear Power Station in Cordova, IL, and Vogtle Electric Generating Plant in Waynesboro, GA. Prior to starting this audit, OIG attended cyber security inspection training provided to NRC staff at Idaho National Laboratory and observed cyber security inspections at Calvert Cliffs Nuclear Power Plant in Lusby, MD, and at Oconee Nuclear Station in Oconee County, SC.

OIG conducted this performance audit from October 2013 through March 2014 at NRC headquarters in Rockville, MD, and at licensee facilities. Internal controls related to the audit objective were reviewed and analyzed. Throughout the audit, auditors were aware of the possibility or existence of fraud, waste, or abuse in the program. We conducted this performance audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. The audit was conducted by Beth Serepca, Team Leader; Paul Rades, Audit Manager; Ziad Buhaissi, Senior Auditor; and Neil Doherty, Senior Analyst.